b"MEMORANDUM\n\nTO             :      Judith E. Heumann\n                      Assistant Secretary\n                      Office of Special Education and Rehabilitative Services\n\nFROM           :      John P. Higgins, Jr.\n                      Acting Assistant Inspector General\n                      Analysis and Inspection Services\n\nSUBJECT        :      Results of the OIG Review of OSERS\xe2\x80\x99 Internal Controls Over the\n                      Procurement of Goods and Services (A&I 2000-005)\n\n\nINTRODUCTION\n\nThis memorandum transmits the results of our review of OSERS\xe2\x80\x99 internal controls over\nthe procurement of goods and services. This review is part of OIG\xe2\x80\x99s Department-wide\nreview of this area. The Department\xe2\x80\x99s management is responsible for establishing and\nmaintaining internal controls. We will transmit the Department-wide results to the\nDeputy Secretary with copies to the Assistant Secretaries and other senior staff when we\ncomplete our review. On July 7, 2000, OIG staff met with you and your Deputy, Curtis\nRichards, to discuss the results of this review. On July 13, 2000, OIG staff completed\ntheir briefing with you, Mr. Richards, Andrew Pepin, Paul O\xe2\x80\x99Connell and Linda Cornett.\n\nRESULTS\n\nDuring our review, we identified within OSERS an area of noncompliance with current\nDepartment policies and procedures for the Purchase Card Program. Purchase cards have\nbeen shared among employees in OSERS with management\xe2\x80\x99s knowledge. The\nDepartment\xe2\x80\x99s Directive on Commercial Credit Card Service states: \xe2\x80\x9cEach card has the\ncardholder\xe2\x80\x99s name embossed on it and may be used only by that person. No one else is\nauthorized to use the card.\xe2\x80\x9d\n\nWe also identified four instances of possible noncompliance with the Federal Acquisition\nRegulation (FAR) and current Department policies and procedures. The FAR requires\nthe solicitation of quotes or offers from a reasonable number of sources or sole-source\njustification for any purchase of more than $2,500. We identified four purchases over\n$2,500 in fiscal year 1999 where there was no documentation to verify that these\npurchases were made with the solicitation of at least three bids or to justify a sole-source\npurchase. The four purchases were from (1) Blazie Engineering Inc. for $9,653 for\n\x0cBraille equipment, (2) Future Enterprises Inc. for $7,051 for a projector, (3) Colorcraft\nfor $3,035 for brochures, and (4) Marriott Hotels for $2,641 for meeting room space.\n\nBased on our review, we identified certain internal control deficiencies, in addition to the\ncompliance issues described above, that prevent OSERS from satisfying the General\nAccounting Office (GAO) Standards for Internal Control in the Federal Government.\nFor your information and corrective action, those deficiencies are listed in the attached\nchart (Attachment A). In the future, we anticipate conducting a follow-up review to\nassess the actions you have taken to satisfy GAO\xe2\x80\x99s Standards for Internal Control in the\nFederal Government.\n\nIn addition, we want to advise you and OSERS managers of inherent vulnerabilities we\nidentified in two Department procurement systems.\n\n\xc3\xbc Purchase Cards \xe2\x80\x93 For efficiency reasons, the Department designed a purchase card\n  system where cardholders can order, receive and approve payments for goods and\n  services. Consequently, as a control, the Department established approving officials\n  to review the use of purchase cards. Therefore, it is important that approving officials\n  properly review all cardholder statements, including invoices, before forwarding them\n  to the Office of the Chief Financial Officer (OCFO) for payment.\n\n\xc3\xbc Third Party Draft System (TPDS) \xe2\x80\x93 An individual with signature authority can issue\n  TPDS checks without the involvement of anyone else. Therefore, it is important that,\n  at a minimum, the supervisor of the individual with signature authority conduct\n  periodic reviews of TPDS disbursements.\n\nDuring our review, we noted that some OSERS employees assigned purchase cards are\nbelow the minimum grade level (GS-9) required to receive annual ethics training.\nBecause of their procurement responsibilities, we believe that ethics training would\nbenefit these employees. Management should require them to attend annual ethics\ntraining.\n\nOTHER MATTERS\n\nOSERS is responsible for several contracts. One contract with Educational Services, Inc.\nallows the contractor to purchase laptop computers for use by reviewers. Based on our\nlimited work in this area, we identified the following issues related to contracts:\n\n       Risk Assessment \xe2\x80\x93 There is no formal risk assessment process for contracts.\n       OSERS should conduct a review periodically to determine if risks have changed\n       and whether it is managing existing risks appropriately.\n\n       Control Activities \xe2\x80\x93 We were informed that the Contracting Officer\xe2\x80\x99s Technical\n       Representative (COTR) has not obtained a listing of equipment purchased under\n       the Educational Services, Inc. contract. An inventory of the equipment purchased\n\x0c       under the contract would be useful to ensure that the equipment is properly\n       disposed of when the contract expires.\n\nDuring our review, we identified the following practice that we believe strengthens\ninternal controls:\n\n       Control Activities \xe2\x80\x93 In March 2000, the Executive Officer of OSERS\n       implemented a policy requiring that all monthly purchase card statements include\n       a certification statement signed by the cardholders and their supervisors. Such a\n       certification statement is a method for cardholders and their supervisors to\n       acknowledge responsibility for executing transactions in accordance with\n       applicable laws and regulations.\n\nOBJECTIVE\n\nOur review objective was to assess the internal controls over compliance with laws and\nregulations for the procurement of goods and services other than studies or evaluations.\n\nSCOPE\n\nWe limited our work to procurements in Washington, D.C. (Headquarters). Although we\ninterviewed staff regarding contracts for the purchase of goods and services, we did not\nreview contract files. We limited testing of accounting records to procurements using\nthe Third Party Draft System (TPDS) and Purchase Cards. We did not conduct testing on\nOSERS\xe2\x80\x99 use of the \xe2\x80\x9cCorporate\xe2\x80\x9d Government Travel Account.\n\nMETHODOLOGY\n\nTo achieve our objectives, we conducted interviews with OSERS staff who were\ninvolved with the procurement process, and we reviewed relevant documents. As part of\nour work, we reviewed samples of TPDS checks and purchase card transactions. For\nTPDS, we selected a random sample of 50 TPDS checks issued between October 1998\nthrough September 1999 (FY 1999) and October 1999 through January 2000 (FY 2000).\nOSERS had eight (8) cardholders located in Headquarters. We judgmentally selected a\nsample of 16 monthly card statements dated between October 16, 1998 and February 16,\n2000. Then we selected 50 transactions (47 purchases and 3 credits) to review. In\nselecting our sample, we did not include any transactions dated prior to October 1, 1998.\nWe also reviewed OSERS\xe2\x80\x99 monthly card statements that were in OCFO\xe2\x80\x99s files for the\nmonths of September 1999 and March 2000.\n\nWe based our conclusions about OSERS\xe2\x80\x99 internal controls on the information gathered\nduring our interviews and transaction testing. We conducted our interviews and\ntransaction testing between March 13, 2000 and May 3, 2000. We assessed OSERS\xe2\x80\x99\ninternal controls based on GAO\xe2\x80\x99s Standards for Internal Control in the Federal\nGovernment issued November 1999. Attachment B to this memorandum contains a\nsummary of the GAO Standards. We conducted our work in accordance with the\n\x0cPresident's Council on Integrity and Efficiency (PCIE) Quality Standards for Inspection\ndated March 1993.\n\nWe appreciate the cooperation shown by your staff during our review. If you have any\nquestions regarding the results of this review, please call me at 205-5439.\n\nAttachments\n\ncc:    Deputy Secretary\n\x0c                                                                          Attachment B\n\n          GAO\xe2\x80\x99s Standards for Internal Control in the Federal Government\n                        Components of Internal Control\n\n\xe2\x80\xa2   Control Environment \xe2\x80\x93 Management and employees should establish and maintain\n    an environment throughout the organization that sets a positive and supportive\n    attitude toward internal controls and conscientious management.\n\n    Factors:\n\n    3 Management and staff maintain and demonstrate integrity and ethical values.\n\n    3 Management maintains an active commitment to competence.\n\n    3 Management\xe2\x80\x99s philosophy and operating style exerts a positive influence on the\n      organization (especially toward information systems, accounting, personnel\n      functions, monitoring and audits).\n\n    3 Organizational structure is appropriately centralized or decentralized, and\n      facilitates the flow of information across all activities.\n\n    3 Agency delegates authority and responsibility and establishes related policies\n      throughout the organization in a manner that provides for accountability and\n      control.\n\n    3 Agency establishes human resource policies and practices that enable it to recruit\n      and retain competent people to achieve its goals.\n\n\xe2\x80\xa2   Risk Assessment \xe2\x80\x93 Internal controls should provide for an assessment of the risks the\n    agency faces from both external and internal sources.\n\n       Precondition: establishment of clear and consistent agency objectives.\n\n       Risk assessment : the comprehensive identification and analysis of relevant risks\n       associated with achieving agency objectives, like those defined in strategic and\n       GPRA annual performance plans, and forming a basis for determining how the\n       agency should manage risks.\n\n       Risk identification: methods may include qualitative and quantitative ranking\n       activities, management conferences, forecasting and strategic planning, and\n       consideration of findings from audits and other assessments.\n\n       Risk analysis: generally includes estimating the risk\xe2\x80\x99s significance, assessing the\n       likelihood of its occurrence, and deciding how the agency should manage its risk.\n\x0c\xe2\x80\xa2   Control Activities \xe2\x80\x93 Internal control activities help ensure that employees carry out\n    management directives. The control activities should effectively and efficiently\n    accomplish agency control objectives.\n\n    3 The control activities are the policies, procedures, techniques, and mechanisms\n      that enforce management\xe2\x80\x99s directives. They help ensure that employees take\n      actions to address risks.\n\n    3 Control activities occur at all levels and functions of the entity, and include a wide\n      range of diverse activities such as approvals, authorizations, verifications,\n      reconciliations, performance reviews, maintenance of security, and creation and\n      maintenance of related records that document the execution of these activities.\n\n\xe2\x80\xa2   Information and Communications \xe2\x80\x93 Employees should record and communicate\n    information to management and others within the entity who need it in a form and\n    within a time frame that enables them to carry out their internal control (and other)\n    responsibilities effectively and efficiently.\n\n    3 An organization must have relevant, reliable, and timely communications relating\n      to internal as well as external events. Information is needed throughout the\n      agency to achieve all its operational and financial objectives.\n\n    3 Effective communications should occur in a broad sense with information flowing\n      down, across, and up the organization.\n\n    3 Management should ensure there are adequate means of communicating with, and\n      obtaining information from, external stakeholders that may have a significant\n      impact on the agency achieving its goals.\n\n\xe2\x80\xa2   Monitoring \xe2\x80\x93 Internal control monitoring should assess the quality of performance\n    over time and ensure that audit and other review findings are promptly resolved.\n\n    3 Includes regular management and supervisory activities, comparisons,\n      reconciliations, and other actions employees take in performing their duties.\n\n    3 Should include policies and procedures for ensuring that audit and other review\n      findings are promptly resolved.\n\x0c                                                                                                                  Attachment A\n\nInternal Control Evaluation Form for the Office of Special Education and Rehabilitative Services\n\nControl Component     Deficiencies\nControl Environment   \xe2\x80\xa2 Training\n                         3 OSERS has two cardholders who have not taken the required purchase card training. In addition, all\n                             procurement staff could benefit from refresher training.\n\nRisk Assessment       \xe2\x80\xa2   Identification of Risks\n                          3 OSERS has no formal procedures for risk assessment in the procurement area.\n                          3 One Director has had only a low risk background investigation completed while the Director\xe2\x80\x99s\n                             position has been designated high risk. On April 7, 2000, OIG sent a memorandum to OSERS\xe2\x80\x99\n                             Executive Officer requesting forms for a higher level investigation for this Director. As of July 6,\n                             2000, OIG had not received the requested forms. This Director also is a current purchase cardholder.\n                          3 Two purchase cardholders have been assigned to lower risk security levels than are appropriate based\n                             on the employees\xe2\x80\x99 responsibilities.\n\nControl Activities    \xe2\x80\xa2   Policies and Procedures\n                          3 The Department\xe2\x80\x99s Directive on Commercial Credit Card Service (C:FIM:6-102) dated March 12,\n                             1990 requires that Principal Offices establish internal procedures on the safeguarding and authorized\n                             use of credit cards. Although OSERS\xe2\x80\x99 Executive Officer and Budget Analyst convey Federal\n                             Acquisition Regulation purchasing guidance via electronic mail, OSERS has no written policies and\n                             procedures on the purchase card process. During our review, one cardholder was uncertain about the\n                             order of the approval process for purchases.\n\n                      \xe2\x80\xa2   Third Party Draft System (TPDS) Checks\n                          3 During the period of our review, OSERS issued multi-TPDS checks to pay for invoices over $10,000.\n                             The Executive Officer informed us that OSERS has discontinued this practice and is now handling\n                             invoices over $10,000 by electronic funds transfer or \xe2\x80\x9cTreasury\xe2\x80\x9d checks.\n                          3 In a random sample of 50 TPDS checks, we noted that all 50 TPDS checks were approved by the\n                             Executive Officer and the invoices had been dated stamped. However, in two instances, invoices\n\x0c      were not paid timely. One invoice totaled $5,000 and was four days late, thus resulting in minimal\n      penalty interest. The other invoice totaled $330 and was 17 days late; however, no penalty interest\n      was noted as being paid. In a February 1998 OCFO memorandum to OSERS, it was noted that three\n      invoices were paid too late and, in 46 instances, invoices were paid too early. Under the Prompt\n      Payment Act, invoices are due either on the date specified in the contract, or the invoices are to be\n      paid within 30 days after receipt, but no sooner than seven days prior to the due date.\n    3 The supporting invoice for one \xe2\x80\x9cClaim for Reimbursement for Expenditures on Official Business\xe2\x80\x9d\n      posed questions that OSERS staff were unable to resolve. The claim was for the purchase of\n      software. The billing and shipping information on the invoice was to an individual with the same\n      surname as the employee submitting the claim. The address on the invoice was a non-ED address.\n      OSERS staff told us that they thought that the individual named on the invoice is the spouse of the\n      employee. During the process of approving the claim, an explanation of the invoice should have\n      been added to the supporting documents.\n\n\xe2\x80\xa2    Approval of Monthly Purchase Card Statements\n     3 We reviewed the September 1999 and March 2000 OSERS card statements from OCFO files. Our\n       purpose was to verify that OSERS had submitted all its monthly card statements with activity to\n       OCFO and that the Approving Official had signed the card statements.\n       \xe2\x80\xa2 Seventeen cards had activity in September 1999. We noted the following:\n          3 Six (6) card statements were not in OCFO\xe2\x80\x99s files.\n          3 The Approving Official did not sign three (3) regional card statements.\n       \xe2\x80\xa2 Eighteen cards had activity in March 2000. We noted the following:\n          3 All 18 card statements were in OCFO\xe2\x80\x99s files.\n          3 The Approving Official did not sign one (1) Headquarters card statement.\n\n\xe2\x80\xa2   Recordkeeping \xe2\x80\x93 Purchase Cards\n    3 We reviewed 16 card statements. Twelve were not reconciled by the cardholder to the EDCAPS log.\n      Nine (9) of the 12 were reconciled to the cardholders\xe2\x80\x99 own logs. We were unable to reconcile two of\n      the remaining card statements.\n    3 We reviewed 50 purchase card transactions:\n       \xe2\x80\xa2 In three instances, documentation was incomplete.\n           3 For a purchase of $3,035, documentation consisted of a delivery ticket without a purchase\n              price.\n\x0c                            3 For a purchase of $1,781, documentation consisted of a credit card slip without the vendor\xe2\x80\x99s\n                                name.\n                            3 For a purchase of $1,663, supporting invoices only totaled $1,647, a difference of $16.\n                        \xe2\x80\xa2   As mentioned in the cover memorandum, we identified four transactions that were over $2,500.\n                            There was no documentation to verify that these purchases were made with the solicitation of at\n                            least three oral bids or to justify a sole-source purchase.\n\n                 \xe2\x80\xa2   Authorization\n                     \xc3\xbc As mentioned in the cover memorandum, although prohibited by the Department\xe2\x80\x99s Directive on\n                       Commercial Credit Card Services, purchase cards were shared among employees.\n\nInformation &    \xe2\x80\xa2   Communication of Key Information\nCommunications       3 OSERS\xe2\x80\x99 procurement staff were unfamiliar with the Department\xe2\x80\x99s Directive on Commercial Credit\n                       Card Services.\n\nMonitoring       \xe2\x80\xa2   On-going Monitoring\n                     3 The supervisor of the individual with signature authority for TPDS checks does not perform periodic\n                        reviews of the EDCAPS reports on the checks issued by OSERS.\n\x0c"